Authentication method for enabling a user of a mobile station to access private data or services 

Field of the invention 


The invention relates to a method for authenticating a user of a mobile station for 
accessing private data or services, and more particularly to a text-message based 
authentication method. 

Background of the invention 

A mobile station, such as a mobile phone, a feature phone, an evolved laptop computer 
or a personal digital assistant (PDA) having communication capabilities (compliant with 
GSM, CDMA, 2.5G, 3G, UMTS, etc. networks), or a smart device (i.e. a combination of 
PDA and mobile phone), enables its user to access remote sources of data or services. 

As an example described in WO 02/076122, it is possible for a user of a mobile station 
to have access to a telephone directory service. Typically, the user places a call to a 
specific number and requests a phone number. The requested phone number is received 
via the short message service (SMS) and can be stored in the mobile station for 
later use. In such a system, the user selects the requested information either by 
accessing a web interface or indirectly through an operator. 

This access to the information is quite complicated and does not offer sufficient security, 
in particular when access to private data or services is required. 

Object and summary of the invention 

Therefore it is an object of the present invention to provide a method and system that 
overcomes at least one shortcoming of the prior art system. 

The present invention is based on a text-message based authentication method of a 
user/mobile station combination which enables the user of the mobile station to access 
private data or services. 

According to the invention, the method comprises the steps of: 

- composing a request message on the mobile station, said message including a 
request for private data/services, and sending said request message to a private server 
offering access to said private data/services of a private database/service node, via 
the telephone network, 

- checking the authenticity of the user based on the request message received by the 
server, 

- if the user authenticity is confirmed, composing a response message including the 
requested private data/service of the private server, and sending back to the user said 
response message, via the telephone network, 

wherein the request message additionally includes a user unique identifier, and is 
received by the private server with an appended user mobile station number, and 
wherein the authenticity checking performed by the private server comprises the steps 
of: 

- checking whether the user unique identifier is stored in the private directory database, 

- checking whether the appended user mobile station number matches with the user 
mobile station number allocated to the user unique identifier stored in the private 
directory database. 

From the mobile station user perspective, the security is improved because the user 
knows to which private server number he has to send the request message, and he 
knows his own user unique identifier to be included in the request message. Security 
can be additionally enhanced if these data are not stored in the mobile station. 

From the private data or service provider perspective, the security is improved because 
authorized mobile station users are listed in the private directory database of the 
corporation or organization, and two particular fields (i.e. the user mobile station number 
and the user unique identifier) are checked for authentication. Additionally, the response 
message is sent back to the originating mobile station number requesting the 
data/service. Security can be further enhanced if the request and response messages 
are encrypted, particularly when routed on the telecommunication network. 

It is understood that such private data or services can be, as an example, corporate 
data or corporate services offered by a company to selected employees. Corporate data 
can be data of a corporate directory such as a lightweight directory access protocol (LDAP) 
database (also called LDAP directory). Such a database offers professional and/or 
personal data about employees of a corporation, or known or authorized persons of an 
organization. Such data can be name, employee number, employee unique identifier, 
alias, e-mail address, phone number, location, office number, personal picture, function, 
etc. Corporate services can be for example technical data services, like providing 
access to real-time data related to the corporate operations, e.g. providing 
measurements given by a remote sensor. 


The message based authentication method of the invention provides a reasonable first-
level identification and authorization of a mobile station user for accessing private 
data or services which do not need a strong or high level of security. 

Also, the method is simple and easy to use for any kind of mobile station that supports 
SMS (short message service), EMS (enhanced message service) or MMS 
(multimedia message service) type messages. Today SMS messages, and in the near 
future EMS and MMS messages, are or will be available to users outside their home 
networks when roaming on visited networks. Thus, the authentication mechanism based 
on standard text messages can use the worldwide available mobile phone infrastructures 
and services. 

Another advantage is that the method of the invention works independently of the 
mobile station identification and authentication performed by the network operators. 
Therefore, this method can be implemented smoothly without interfering with the phone 
network operation. 

Other characteristics and advantages of the invention will be described in more detail 
in the following description of the invention and in one practical example of application. 

Brief description of the drawings 

The following detailed description, given by way of example, will be best understood 
with the accompanying drawings in which: 

- Figure 1 represents schematically a system for implementing the authentication 
method of the invention; 

- Figure 2 shows a flowchart representing the different steps of the authentication 
method of the invention; 

- Figure 3 illustrates the layout of a request message of the SMS type. 



Detailed description of the invention 

Figure 1 illustrates schematically the different elements of a system and their interaction 
for implementing the authentication method of the invention. This figure will be 
described in combination with figure 2, which represents the different steps of said 
authentication method. 

In a first step 1, the user of mobile station MS composes a request message on his 
mobile station. This request message can be formatted as an SMS, EMS or MMS type 
message and is written with a specific layout. 

The request message comprises an authentication part and a data or service request 
part. Advantageously, the authentication part comprises a unique identifier of the mobile 
station user. The specific layout will be presented in more detail in the description 
related to Figure 3 below. 

The request message is sent to a specific telephone number corresponding to the 
messaging gateway MG. The request message is routed across the telephone network 
N to the messaging gateway MG. The telephone network architecture, functionality and 
way of routing calls or messages are well known to the man skilled in the art and 
therefore will not be further detailed. It is well known that the telephone network N can 
comprise, while not being limited to, a first mobile phone network GSM1 of a first mobile 
telecommunication operator covering a first area, a second mobile phone network 
GSM2 of a second mobile telecommunication operator covering a second area, and a 
public switched telecommunication network PSTN of a fixed telecommunication operator. 
Said network N comprises at least one messaging center MC dedicated to managing and 
routing SMS, EMS or MMS type messages. Obviously, the structure, number of sub-
networks and inter-connections can be more complex than what is shown on Figure 1. 
Each of these local networks is inter-connected to the others to provide local, 
regional, national and international communication to any mobile station user having 
subscribed to roaming capability outside the home network of his telecommunication 
operator. 

The messaging gateway MG receives the request message. The messaging gateway 
is an interface between the network N and a private infrastructure PI. The private 
infrastructure PI comprises all the resources (internal network, servers, computers, 
databases, etc.) of e.g. a corporation or an organization. The private infrastructure PI 
shown in figure 1 comprises a processing server PS, a corporate directory database 
DB, a database or an equipment (e.g. a sensor) providing data D, and a service node S. 
All other elements of this private infrastructure are omitted for the sake of drawing clarity. 

In a second step 2, the received request message is routed by the messaging gateway 
to the processing server PS. The server separates the authentication part, the data or 
service request part, and the originating mobile station phone number from the request 
message. It is to be noted that the originating mobile station phone number is tagged to the 
incoming message as indicated in ETSI standard TS 100 901 related to Technical 
realization of the Short Message Service (SMS) (GSM 03.40 version 7.4.0 Release 
1998). Then the server checks whether the user unique identifier of the authentication 
part is present in the private directory database DB. 

Here, the processing server PS has two functions: one is to process the message and 
the other is to authenticate the message. As an alternative (not shown on the Figures), it is 
possible to have a message processing server and a distinct authentication server. In 
this case, the message processing server's role is only to separate the authentication 
part, the data or service request part, and the originating mobile station phone number 
from the request message, while the authentication server only performs a look-up 
request on the private directory database DB. 

If the user unique identifier is not present in the private directory database DB, then an 
error sequence is generated by the processing server PS (step 3) and access to private 
data or services is denied. In this case, either an error response message is sent back to 
the mobile station, or alternatively no response message at all is sent back to the mobile 
station, in order to avoid possible unauthorized access through probing. 

In case the user unique identifier of the authentication part is present in the private 
directory database DB, the user mobile station number assigned to the user unique 
identifier and stored in the private directory database DB is retrieved from the database 
DB by the processing server PS (step 4) or alternatively by the authentication server. 
This mobile station user number is recognized as being known and authorized to 
communicate with the corporation or the organization. 

After this successful private directory look-up, a second check is performed (step 5). 
This second check consists in comparing the user mobile station number attached to 
the request message with the user mobile station number assigned to the user unique 
identifier and stored in the private directory database DB. 

It is to be noted that the user mobile station number is the cell-phone, mobile phone, 
feature phone or smart-device number that is allocated and stored on the originating 
mobile station and allocated to this particular user in the LDAP directory. As an example, 
this number is the assigned phone number of the SIM card (SIM stands for Subscriber 
Identity Module) present in the mobile station for authorizing access to the 
telecommunication network. 

If there is no match between the two mobile station numbers, then an error sequence is 
generated by the processing server PS (step 6) and access to private data or services 
is rejected. In this case, either an error response message is sent back to the mobile 
station, or alternatively no response message is sent back to the mobile station. 

If there is a perfect match between the two mobile station numbers, then the processing 
server PS performs the request for data or services asked by the user in the request 
message (step 7). 

After the processing server obtains the requested information from either the private 
directory database DB, the database/equipment D or the service node S, a 
response message is composed which includes the requested private data and is sent 
back to the user mobile station number (step 8) via the network N. 

Depending on the request, either an SMS type message containing only text, or an EMS 
type message or an MMS type message containing image, video or graphics is sent back 
to the user. 

The authentication method can be used for authenticated access to a range of private 
or corporate data or services independently of the mobile station type and 
independently of the wireless telecommunication services provider. It is understood that 
a user/mobile station combination can access multiple data/services offered by different 
companies or organizations. In this case, the user/mobile station combination needs to be 
known by the different companies or organizations providing the data/services (i.e. at 
least the user mobile station number and user unique identifier need to be stored in a 
corporate directory of each company or organization). 

Figure 3 illustrates a particular example of realization of the layout of a request 
message of the SMS type used by the method of the invention. 

As described in ETSI standard TS 100 901 related to Technical realization of the Short 
Message Service (SMS) (GSM 03.40 version 7.4.0 Release 1998), an SMS type 
message can contain a maximum of 140 octets of data. 

The SMS request message comprises three fields F1, F2 and F3. In this example, the 
fields F1 and F3 correspond to the service request part SP of the message, while the 
field F2 corresponds to the authentication part AP of the message. 

The field F1 can be a keyword for the service required on the remote private server PI, 
for example an LDAP directory look-up service. 

The field F2 can be a keyword or a unique mobile station user identifier for the 
authentication of the mobile station user, for example a unique personal identifying alias 
of the LDAP directory of the corporation. 




The field F3 can be a command, an action or a look-up request for data or services, for 
example contact details to be retrieved for a specified name in the LDAP directory of the 
corporation. 

As an alternative, the field F1 can be omitted if a unique telephone number is assigned 
to each type of private service. This has also the advantage of simplifying the 
generation of the request message on the mobile station. 

A first application using the method of authentication of the invention is the 
authentication of a user to query remotely a corporate LDAP directory, namely to look up 
the contact details of an employee in the company database. 

As an example, a request message composed by the user Bob Jones for obtaining the 
contact details of a colleague Alice Smith would be: 

"LDAP Bjones2 Alice Smith*" 

LDAP being the keyword for the directory look-up service (field F1), 

Bjones2 being the alias or unique mobile station user identifier of Bob Jones in the 
corporate LDAP directory (field F2), and 

Alice Smith* being the name of the person for which contact details are needed (field F3), 
the star * representing a wild card. 

As an example, the response message will show the result of the corporate LDAP 
directory look-up: 

"Contact details for Alice Smith-Cooper: 
Tel: +23-4472-6468 
Mobile: +23-6721-3234 
Email: asmithcooper@corporation.com" 

From the mobile station user perspective, the security is improved because the user 
knows the specific layout required to compose the request message and also his own 
unique identifier (alias). 

From the private data or service provider perspective, the security is improved because 
only a request message in the required layout with a matching unique mobile station 
user identifier / mobile station phone number combination can pass the authentication 
checks. 

Obviously, the request message is not limited to the particular layout described. The 
different fields F1, F2, F3 and the different parts AP, SP can be ordered and arranged 
differently. Nevertheless, it is necessary that both the user and the data/service provider 
use the same request message layout so that the service provider, in particular the 
processing server, is able to separate the authentication part from the service request 
part of the request message. 

Also, the content of the fields is not limited to what is described as an example. In 
particular, the user unique identifier is a datum that identifies the user uniquely. The user 
unique identifier can be the user alias, or any other uniquely identifying field allocated to 
this particular user in the LDAP directory. 

Advantageously, in order to further improve security, the request message and the 
response message can be ciphered by methods well known to the man skilled in the art, 
which will not be described (algorithms using symmetric or asymmetric keys). 


A second application using the method of authentication of the invention is the 
authentication of a user to query technical or financial information on: 
- settings and status of remote systems and equipment, namely temperature sensors, 
pressure sensors, valves, flow-rate sensors of an oil rig, etc.; 
- value of a particular company's share on the stock exchange market, PER, income, 
debt, etc. of a company. 

A third application using the method of authentication of the invention is the 
authentication of a user to remotely control a system or an equipment. In this case, the 
field F3 is a command like open, close, stop, start, adjust, set, etc., associated with an 
identification number of the system or equipment or part thereof to be controlled. 

Claims 

1. Method for authenticating a user of a mobile station (MS) for accessing private 
data/services (D, S), comprising the steps of: 

- composing a request message on the mobile station, said message including a 
request for private data (SP), and sending said request message to a private server 
(MG, PS) offering access to said private data/services (D, S), via the telephone 
network (N), 

- checking the authenticity of the user based on the request message received by the 
server (MG, PS), 

- if the user authenticity is confirmed, composing a response message including the 
requested private data/services (D, S) of the private server, and sending back to the 
user said response message, via the telephone network (N), 

wherein the request message additionally includes a user unique identifier (AP), and is 
received by the private server with an appended user mobile station number, and 

wherein the authenticity checking performed by the private server comprises the steps 
of: 

- checking whether the user unique identifier (AP) is stored in a private directory 
database (DB), 

- checking whether the appended user mobile station number matches with the user 
mobile station number allocated to the user unique identifier stored in the private 
directory database (DB). 

2. Method for authenticating a user of a mobile station for accessing private 
data/services as recited in claim 1, wherein the user unique identifier is a datum related to 
the user of the mobile station, said datum being stored in the private directory database 
(DB). 

3. Method for authenticating a user of a mobile station for accessing private 
data/services as recited in claim 2, wherein said datum related to the user of the mobile 
station is the lightweight directory access protocol alias of the user. 

4. Method for authenticating a user of a mobile station for accessing private 
data/services as recited in one of the preceding claims, wherein the request message is 
a text message of the SMS type. 
5. Method for authenticating a user of a mobile station for accessing private 
data/services as recited in one of the claims 1 to 3, wherein the request message is an 
MMS type message. 

6. Method for authenticating a user of a mobile station for accessing private 
data/services as recited in one of the preceding claims, wherein the response message 
is a text message of the SMS type. 

7. Method for authenticating a user of a mobile station for accessing private 
data/services as recited in one of the claims 1 to 5, wherein the response message is an 
MMS type message. 

8. Method for authenticating a user of a mobile station for accessing private 
data/services as recited in one of the preceding claims, wherein the request message 
and the response message are ciphered. 

9. Method for authenticating a user of a mobile station for accessing private 
data/services as recited in one of the preceding claims, wherein the requested data are 
stored in the private directory database (DB). 

10. Method for remotely looking up information stored in a private database by a user of 
a mobile station, wherein the user is authenticated by an authentication method as 
recited in claims 1 to 9. 

11. Method for remotely controlling a private equipment by a user of a mobile station, 
wherein the user is authenticated by an authentication method as recited in claims 1 to 
9. 

12. Method for remotely accessing private data/services by a user of a mobile station, 
wherein the user is authenticated by an authentication method as recited in claims 1 to 
9. 

Abstract 

Authentication method for enabling a user of a mobile station to access private data 
or services 


A method for authenticating a user of a mobile station (MS) for accessing private 
data/services (D, S) comprises the steps of composing a request message on the 
mobile station (MS), and sending it to a private server (MG, PS) offering access to 
the private data/services (D, S) via the telephone network (N). The message includes a 
request for private data/services (D, S). The authenticity of the user is checked based 
on the request message received by the server (MG, PS). If the user authenticity is 
confirmed, a response message including the requested private data/services is 
composed and sent back to the user via the telephone network. 

The request message additionally includes a user unique identifier, and is received by 
the private server (MG, PS) with an appended user mobile station number. The 
authenticity checking is performed by the private server by checking whether the user 
unique identifier is stored in the private directory database (DB) and by checking 
whether the user unique identifier matches with the user mobile station number 
allocated to the user unique identifier stored in the private directory database (DB). 


Figure 1 